2. Organization of Information Security

This category focuses on establishing a management framework to initiate and control the implementation and operation of information security within the organization. It includes assigning roles and responsibilities, establishing governance structures, and coordinating with external parties to ensure comprehensive information security management.

Controls (A.6):

  • A.6.1.1: Information Security Roles and Responsibilities

  • A.6.1.2: Segregation of Duties

  • A.6.1.3: Contact with Authorities

  • A.6.1.4: Contact with Special Interest Groups

  • A.6.1.5: Information Security in Project Management

Control A.6.1.1: Information Security Roles and Responsibilities

Audit Questions:

  • Are specific information security roles and responsibilities assigned and documented?

  • How are these roles communicated to employees?

  • Is there a process for reviewing and updating these roles?

Common Non-Conformities (NC):

  • Undefined or unclear roles and responsibilities.

  • Lack of documentation for roles and responsibilities.

  • Inadequate communication of roles to employees.

  • Roles not reviewed or updated regularly.

Control A.6.1.2: Segregation of Duties

Audit Questions:

  • Is there a segregation of duties to reduce the risk of unauthorized access or fraud?

  • How is segregation of duties implemented and monitored?

Common Non-Conformities (NC):

  • Insufficient segregation of duties.

  • Lack of monitoring and enforcement of segregation policies.

Control A.6.1.3: Contact with Authorities

Audit Questions:

  • Is there a documented process for contacting relevant authorities during security incidents?

  • How frequently are contact details reviewed and updated?

Common Non-Conformities (NC):

  • No documented process for contacting authorities.

  • Outdated or incorrect contact details.

Control A.6.1.4: Contact with Special Interest Groups

Audit Questions:

  • Does the organization maintain contact with relevant special interest groups or industry bodies?

  • How does this contact help in staying updated with information security trends and threats?

Common Non-Conformities (NC):

  • No established contact with relevant groups.

  • Lack of participation in industry forums or special interest groups.

Control A.6.1.5: Information Security in Project Management

Audit Questions:

  • How is information security integrated into project management processes?

  • Are information security risks assessed and managed in all projects?

Common Non-Conformities (NC):

  • Information security not integrated into project management.

  • Lack of risk assessment for information security in projects.

Previous1. Information Security PoliciesNext3. Human Resource Security

Last updated